Questions on 1:1 NAT ?

After going over the Wiki on setting up a 1:1 NAT, I still have a few questions (for you router gurus out there), and want to make sure I understand the exact programming to make this work correctly.

First, on how the router (example) is setup:
WAN = 123.1.1.10/24 (Ether 13)
Lan 1 = 10.1.1.0/24 (Ether 1)
Lan 2 = 10.2.1.0/24 (Ether 2)
Lan 3 = 10.3.1.0/24 (Ether 3)
All these addresses are programmed into the router to the designated ports.

SNATs are already setup for “Masq” on the Lan Ports to the Wan port main address.
Example: chain = SRCNAT
Src add = 10.1.1.0/24
Dst add = 0.0.0.0/0
Out Port = Ether 13
Action = Masq

I want to 1:1 NAT address 10.1.1.5 to 123.1.1.11

According to the Wiki, I should setup the 2 following rules?
Chain = SRCNAT
Src add = 10.1.1.5/32
Dst add = 0.0.0.0/0
Out Interface = Ether 13
Action = Netmap
to Add. = 123.1.1.11

Chain = DSTNAT
Src add = 0.0.0.0/0
Dst add = 123.1.1.11
In Interface = Ether 13
Action = Netmap
to Add. = 10.1.1.5

Q1. Will this work as a 1:1 NAT as I need to have it work?

Q2. Will 123.1.1.11 need to be assigned to Ether 13 on the list of router IP addresses?

Q3. Do these rules need to be in front of the existing Masq rules?

Q4. If there is another user on any of the Lan ports that browses to the 123.1.1.11 address, will they be automatically “forwarded” to the 10.1.1.5 address, even if they are on the same subnet?

Thank you,
Wayne

  1. Yes, unless I overlooked something. And you don’t need to enter 0.0.0.0/0.

  2. Generally no, all you need is for the packet to somehow reach the router. But in this case, if you don’t have a routed subnet, but only a subnet with the ISP’s gateway, assigning 123.1.1.11 as a second WAN address is the easiest way to make it work. Because when the ISP’s router (with e.g. its own 123.1.1.1/24) tries to reach 123.1.1.11, it will see it as directly connected, send an ARP request and your router must reply to that, otherwise the address will be unreachable.

  3. Possibly yes, but it really depends on your exact rules. You must make sure that packets get caught by the right rule to get the translation you need.

  4. Obviously no, when your dstnat rule matches only packets coming from ether13. For source subnets other than 10.1.1.0/24 it should be enough to remove interface from the rule. For 10.1.1.0/24 itself you’ll also need hairpin NAT (see MikroTik wiki). And of course allow these connections in forward chain in both cases.
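
The four answers above, written out as RouterOS CLI commands (this is an added example, not part of either post in the thread). It assumes the poster’s “Ether 13” and “Lan 1” ports are named ether13 and ether1, and that the masquerade rule currently sits at position 0 in the srcnat chain; check both with /interface print and /ip firewall nat print before pasting anything.

```routeros
# Added example, not from the original thread. Interface names (ether1, ether13)
# and the rule index used with place-before are assumptions; verify with
# /interface print and /ip firewall nat print.

# Q2: put the public address on the WAN port so the router answers the ISP
# gateway's ARP request for 123.1.1.11.
/ip address add address=123.1.1.11/24 interface=ether13 comment="1:1 NAT address for 10.1.1.5"

# Q1 + Q3: outbound half of the 1:1 NAT. It must be matched before the
# masquerade rule, so place-before=0 inserts it at the top of the chain.
# No dst-address=0.0.0.0/0 is needed; an absent matcher means "any".
/ip firewall nat add chain=srcnat src-address=10.1.1.5 out-interface=ether13 \
    action=netmap to-addresses=123.1.1.11 place-before=0 comment="1:1 out 10.1.1.5"

# Q1: inbound half, restricted to packets arriving on the WAN port.
/ip firewall nat add chain=dstnat dst-address=123.1.1.11 in-interface=ether13 \
    action=netmap to-addresses=10.1.1.5 comment="1:1 in 10.1.1.5"

# Q4, LANs other than 10.1.1.0/24: use this rule INSTEAD of the one above
# (no in-interface), so clients on ether2/ether3 that address 123.1.1.11 are
# also translated to 10.1.1.5.
# /ip firewall nat add chain=dstnat dst-address=123.1.1.11 \
#     action=netmap to-addresses=10.1.1.5 comment="1:1 in 10.1.1.5 (any interface)"

# Q4, clients inside 10.1.1.0/24: hairpin NAT. Without this the server replies
# directly to the client on the same subnet, the client sees a reply from
# 10.1.1.5 instead of 123.1.1.11 and drops it.
/ip firewall nat add chain=srcnat src-address=10.1.1.0/24 dst-address=10.1.1.5 \
    out-interface=ether1 action=masquerade comment="hairpin for 1:1 10.1.1.5"

# Forward chain: filter rules see the already-translated destination, so one
# accept for 10.1.1.5 covers the WAN and hairpin cases. Place it before any
# drop rule in your forward chain.
/ip firewall filter add chain=forward dst-address=10.1.1.5 action=accept \
    comment="allow 1:1 NAT traffic to 10.1.1.5"

# Check the resulting order; the netmap rule must be listed above masquerade.
/ip firewall nat print
```

The srcnat netmap rule is written with a single /32 host, so action=src-nat with the same to-addresses would behave identically here; netmap only matters once you map a whole range to another range. If the existing masquerade rule is not at index 0, change place-before to the index that /ip firewall nat print shows for it.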

Thanks,
Wayne